Financial services companies operate in data-rich environments that are constantly shifting, opening them up to new vulnerabilities and making them significant targets for cyberattacks. Adopting a Zero Trust-based approach to security architecture is essential for the companies to maintain the cyber resilience needed to avoid damaging attacks.
Leveraging Zero Trust as a framework for safeguarding data and infrastructure directly addresses the many IT security challenges that banking and capital markets companies face. These companies must combat cybersecurity threats, protect valuable digital assets, secure remote workers and meet stringent compliance requirements that are unique to the industry. Embracing Zero Trust not only involves implementing new solutions, but also requires a different approach and change in mindset — one that encompasses all aspects of the business and focuses on enterprise security.
Addressing industry challenges
A Zero Trust security environment is characterized by a “never trust, always verify” stance in which all users inside and outside an organization’s network are identified, authenticated, authorized and continuously validated. Maintaining airtight security is especially crucial in the financial services industry, in which organizations represent high-value, primary targets for threat actors. Any loss of a customer’s digital assets or data to a security breach can cause severe reputational harm, not to mention potential fines and penalties.
When implementing a Zero Trust architecture in an operational environment, however, banking and capital markets companies face many challenges. For one, organizations are challenged to keep up with the quickly changing enterprise security landscape, in environments where change has traditionally been slower and approached more cautiously.
Of course, the pandemic forced a fast change in financial services. The traditional paradigm of workers sitting in corporate offices connected to a single corporate network has been replaced by a predominantly remote workforce. The shift to remote working has greatly increased risk, broadened the attack surface and multiplied the number of network access points that need to be continuously secured.
In addition, digital transformation initiatives at financial services companies are resulting in more complex technology systems. The combination of increased remote working and the ongoing shift to hybrid cloud computing environments is presenting new challenges for keeping networks secure. This, along with the growing sophistication of cyberattacks, has created the need for adopting highly advanced security initiatives.
Another challenge is the prevalence of legacy technology. Many banking and capital markets companies maintain systems with legacy infrastructure and applications that run high-value transactions. These legacy systems can be difficult to patch and, except for day-to-day operations maintenance, difficult to interact with — making their protection a challenge.
Another key challenge is that banking and financial services companies must comply with myriad data and privacy regulations. Among those specific to institutions such as payment processors is the Payment Card Industry Data Security Standard (PCI DSS). In fact, the updated PCI DSS 4.0, published in 2022, was built with a Zero Trust mindset. Among the new requirements is that organizations need to adopt stronger authentication standards for payment and control access logins.
Five key considerations
One reason Zero Trust has gained momentum in the last few years is because the technology that drives the framework has evolved to the point where it is now easier to implement. For example, identity management software and platforms have matured significantly, and key security cornerstones like multifactor authentication have become more widely adopted and acceptable to users. Other developments have eased adoption, including improvements in the enterprise security tools offered by cloud providers.
Implementation of a Zero Trust architecture requires careful planning combined with applying advanced technology around crucial aspects such as identity protection. Five key considerations for financial services companies when implementing Zero Trust are the following:
1. Change your mindset. A basic tenet of taking a Zero Trust approach is to acknowledge that the modern enterprise no longer has a traditional network edge. That is, networks are everywhere. They can be on premises, in the cloud or a combination of the two, with resources and workers accessing data from countless locations. The prevalence of legacy systems and applications in the financial services industry increases the need for new ways of thinking when dealing with network security.
Organizations need to change their thinking to a “secure by design” mindset, where security is baked into anything and everything being added to their technology landscape. For example, organizations need to embrace a DevSecOps approach, where security is embedded into all aspects of the development process.
2. Know your assets. When embarking on the Zero Trust journey, it is imperative that financial services companies be fully aware of what their technical landscape encompasses, and how best to protect those assets. For banks and capital market firms, it’s important to note areas of the legacy estate that have the highest value — the systems that process the highest volumes of transactions and make the business the most money.
Financial services companies generally struggle with knowing what assets should be protected, and how. Organizations must ask questions such as: “What services need to be protected the most?” and “How can we best protect these assets?” As part of this exercise, companies need to carry out fundamental initiatives such as defining who has access to what assets, and determining if the current access rights will remain valid when applied to those assets going forward, such as when third-party accounts need to gain access.
3. Focus on identities. Knowing who has access to what leads to the next key consideration, which is placing a very strong emphasis on identities. Successful identity and access management is a foundation of Zero Trust, because identity is the fundamental component of network security that binds everything together.
The complexity of networks at financial services companies includes managing legacy infrastructure that is mixed with newer cloud technologies such as SaaS and PaaS. Keep in mind that identities today can be human or non-human, and an effective digital identity strategy looks at securely connecting both people and machines to data and services. The days of well-defined endpoints are gone, which places a premium on knowing exactly who and what is accessing a network.
4. Put policies into place. There are no simple turnkey solutions to solving the challenges of asset protection and identity management. With Zero Trust, it’s not just about identities, but also about the policies around them. When implementing a Zero Trust architecture, organizations need to put the right policies into place and manage those policies on an ongoing basis.
Setting the right policies goes back to having a clear understanding of what your assets and services are and developing a well-defined segmentation of your services, along with finer granularity of control for the identities accessing them. When a cloud-centric digital transformation is taking place, organizations need to adopt clear security and Zero Trust policies, and apply them to key activities such as implementation and deployment of access control.
5. Have the right skills. As financial services companies make the transition from legacy technology to more advanced hybrid environments, many organizations are concerned that they lack the necessary skills, knowledge and expertise in important areas such as cloud and network security. To successfully undertake a Zero Trust initiative, it is essential that companies have in place people with the right skills — from expertise in applying the right configurations to the know-how for deploying new cloud-based tools.
Because maintaining a strong cybersecurity stance is so important for banking and capital markets companies, they should place a premium on developing home-grown talent or reskilling employees for security-related roles. Still, professionals with the necessary background and expertise in cybersecurity are in short supply, which makes it difficult to build a fully staffed security team in-house.
Why DXC?
Financial services organizations across the globe rely on DXC Technology as an experienced, trusted partner. DXC offers the skills, knowledge and expertise to support financial services companies’ Zero Trust initiatives. DXC has decades of experience in both implementing advanced cybersecurity solutions and helping financial services companies across the globe deal with the complexities of advanced networks and systems. DXC professionals have the expertise, for example, to classify data and define the roles of grouping services to know what permissions are needed for Zero Trust to be successful, as well as to implement the technologies and solutions necessary to build out your Zero Trust architecture.
DXC works closely with banking and capital markets companies to clearly understand their business, and has a long history of developing solutions, delivering platforms and helping organizations solve complex technology challenges. Few companies possess the breadth of services and solutions, along with the global reach, that DXC provides to financial services institutions. And DXC’s full range of security expertise includes deep experience in Zero Trust architecture, and identity and access management, with over 450 million digital identities under management, along with world-class detection and response capabilities.
Conclusion
To confidently provide accurate and personalized offerings to customers, banking and capital markets companies must be truly secure. Zero Trust is fast becoming the de facto standard for managing network infrastructure, data and user access in the financial services industry. A Zero Trust architecture allows organizations to wrap effective security initiatives and practices into a single strategy that addresses the challenges facing security professionals.
When it comes to adopting a Zero Trust approach, many organizations already have the constituent parts required. Successful adoption requires taking on a Zero Trust mindset, knowing your security environment inside and out, and then putting the right skills, policies and resources in place to make it happen. Having constant validation against a consistent set of rules provides a security landscape that financial services customers demand and deserve.
About the authors
About the authors
Mark Hughes is president of Security for DXC Technology. He is responsible for DXC’s Security business including cyber defense, digital identity, secured infrastructure and security risk management. He previously led DXC's offerings and strategic partners organization. A Royal Military Academy graduate and British Army veteran, Mark serves on the World Economic Forum’s Global Cybersecurity Board. Connect with him on LinkedIn.
Jeremy Donaldson, managing director of EMEA Banking and Capital Markets for DXC Technology, has more than 25 years of experience in applying technology solutions to solving complex business challenges in numerous management and consulting roles. Connect with Jeremy on LinkedIn.
Jay Hibbin, client executive for DXC Technology’s cloud practice, has close to 30 years of experience in the IT industry, most recently, in helping organizations build solutions that enable successful digital transformation. Connect with Jay on LinkedIn.